2d98c69a14a7c5f1e81dbea54ce0e340_NeikiAnalytics

Sharing

Copy URL

Twitter E-mail

General

Target

2d98c69a14a7c5f1e81dbea54ce0e340_NeikiAnalytics
Size

7.6MB
MD5

2d98c69a14a7c5f1e81dbea54ce0e340
SHA1

aaef61c011f98701bd12aae0a43662c49b373c5e
SHA256

cd8d1a17d6a0495bd52e0200d8bcfc0ead6544fd7607b2b5ab4c05e9840d8522
SHA512

53ce5d5d6491a7b8fba552fffc14c8e44aec5c343faa4a8ecc148a0b9be481dd8aaa3532702b6f3eab2447654344012583bc24a2f2cc40c97f1d4d839c9bebf9
SSDEEP

196608:4bHKDbL3FVnUxksCA9LJ+Q1Z33vskTMXD+5ZFFLqt2DY:b/zUxkhELZzUkIT0ZDqIDY

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2d98c69a14a7c5f1e81dbea54ce0e340_NeikiAnalytics

Files

2d98c69a14a7c5f1e81dbea54ce0e340_NeikiAnalytics
.sys windows:10 windows x64 arch:x64

1a9f73a65b0a446717a70a1bdf18cbce

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

ObQueryObjectAuditingByHandle
sprintf
PsGetProcessDebugPort
ObFindHandleForObject
__C_specific_handler
PsProcessType
PsThreadType
KeInitializeEvent
KeSetEvent
KeWaitForSingleObject
ExAllocatePool
ExAllocatePoolWithTag
ExFreePoolWithTag
PsCreateSystemThread
PsTerminateSystemThread
ZwClose
KeBugCheck
PsGetCurrentThreadId
KeStackAttachProcess
KeUnstackDetachProcess
wcsstr
_strnicmp
PsGetProcessWow64Process
PsGetProcessImageFileName
PsGetProcessPeb
strcpy_s
RtlInitAnsiString
ExEventObjectType
wcscpy_s
wcsncpy_s
ZwOpenKey
ZwEnumerateKey
ZwQueryKey
PsGetThreadId
ZwQueryVirtualMemory
ZwQuerySystemInformation
MmUserProbeAddress
strcat_s
ZwCreateFile
ZwWriteFile
vsprintf_s
sprintf_s
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
wcsncat
_wcsicmp
MmAllocateNonCachedMemory
MmFreeNonCachedMemory
PsWrapApcWow64Thread
PsIsThreadTerminating
PsGetThreadTeb
KeInitializeApc
KeInsertQueueApc
KeTestAlertThread
RtlCompareUnicodeString
MmBuildMdlForNonPagedPool
MmMapLockedPagesSpecifyCache
IoAllocateMdl
IoFreeMdl
ZwOpenEvent
ZwWaitForSingleObject
ZwSetEvent
RtlGetVersion
MmIsAddressValid
MmGetPhysicalAddress
NtTraceControl
ObReferenceObjectByHandleWithTag
ZwOpenFile
ZwQueryInformationFile
ZwReadFile
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
RtlVolumeDeviceToDosName
IoCreateFileEx
ZwOpenProcess
MmFlushImageSection
ZwQueryObject
ZwDeleteFile
ZwDuplicateObject
IoFileObjectType
MmGetSystemRoutineAddress
_stricmp
RtlCompareMemory
KeBugCheckEx
NtDeviceIoControlFile
ObReferenceObjectByName
ZwSetSystemInformation
IoDriverObjectType
IoAllocateIrp
IoFreeIrp
ExQueueWorkItem
PsGetThreadProcessId
KeDelayExecutionThread
MmAllocateContiguousMemorySpecifyCache
MmGetVirtualForPhysical
ZwAllocateVirtualMemory
ZwFreeVirtualMemory
RtlImageDirectoryEntryToData
MmUnmapLockedPages
MmMapIoSpace
MmUnmapIoSpace
IoGetStackLimits
RtlCaptureContext
strncmp
strncpy
_wcslwr
ZwTerminateProcess
LsaFreeReturnBuffer
KeAttachProcess
KeDetachProcess
SeQueryAuthenticationIdToken
PsReferencePrimaryToken
PsLookupProcessByProcessId
PsLookupThreadByThreadId
PsGetProcessInheritedFromUniqueProcessId
ZwQueryInformationProcess
ObSetHandleAttributes
PsSuspendProcess
PsResumeProcess
PsIsSystemProcess
PsInitialSystemProcess
PsGetProcessCreateTimeQuadPart
PsReferenceProcessFilePointer
ZwQueryValueKey
strstr
wcsncmp
wcsncpy
_strlwr
RtlAnsiStringToUnicodeString
RtlUnicodeStringToAnsiString
RtlFreeUnicodeString
RtlFreeAnsiString
RtlCopyUnicodeString
RtlAppendUnicodeStringToString
RtlTimeToTimeFields
KeClearEvent
KeSetSystemGroupAffinityThread
KeRevertToUserGroupAffinityThread
KeQueryTimeIncrement
KeQueryActiveProcessorCountEx
KeGetProcessorNumberFromIndex
ExSystemTimeToLocalTime
IoCreateSynchronizationEvent
PsSetLoadImageNotifyRoutine
PsIsSystemThread
ObGetObjectType
PsGetCurrentThreadTeb
PsGetThreadProcess
PsGetCurrentThreadWin32Thread
ZwQueryInformationThread
PsGetContextThread
PsGetCurrentThreadProcess
toupper
strrchr
RtlCharToInteger
sscanf_s
_ultoa_s
memchr
RtlInitializeBitMap
RtlClearBits
RtlSetBits
KeGetCurrentProcessorNumberEx
MmFreeContiguousMemory
KeSaveStateForHibernate
PsSetThreadWin32Thread
PsGetThreadWin32Thread
RtlIntegerToUnicodeString
ObRegisterCallbacks
ObUnRegisterCallbacks
PsSetCreateProcessNotifyRoutineEx
PsRemoveCreateThreadNotifyRoutine
PsRemoveLoadImageNotifyRoutine
CmUnRegisterCallback
isspace
atoi
IoCancelIrp
IoReuseIrp
PsGetCurrentProcessId
PsGetProcessId
ObfDereferenceObject
ObCloseHandle
ObReferenceObjectByHandle
IoGetCurrentProcess
ExGetPreviousMode
ProbeForWrite
ProbeForRead
DbgPrint
RtlEqualUnicodeString
RtlInitUnicodeString
IoReleaseRemoveLockEx
IofCompleteRequest
KeReleaseSpinLockFromDpcLevel
KeAcquireSpinLockAtDpcLevel
_stricmp
NtQuerySystemInformation
ZwClose
ZwQueryValueKey
ZwOpenKey
RtlInitUnicodeString
ZwWaitForSingleObject
ZwDeviceIoControlFile
ZwOpenFile
_wcsnicmp
ZwEnumerateKey
ZwCreateEvent
MmGetSystemRoutineAddress
ZwCreateFile
__C_specific_handler
KeSetSystemAffinityThread
KeQueryActiveProcessors
KeQueryTimeIncrement
DbgBreakPointWithStatus
RtlTimeToTimeFields
ExSystemTimeToLocalTime
IoAllocateMdl
IoFreeMdl
MmUnlockPages
MmMapLockedPagesSpecifyCache
MmProbeAndLockPages
KeWaitForSingleObject
KeReleaseMutex
KeInitializeMutex
ExFreePoolWithTag
ExAllocatePool
KeRevertToUserAffinityThread
DbgPrint

ksecdd.sys

GetSecurityUserInfo

fltmgr.sys

FltReleaseFileNameInformation
FltParseFileNameInformation
FltEnumerateFilters
FltObjectDereference
FltGetFileNameInformation

netio.sys

WskCaptureProviderNPI
WskReleaseProviderNPI
WskDeregister
WskRegister

hal

KeQueryPerformanceCounter

Sections

.text
Size: 244KB - Virtual size: 244KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 152KB - Virtual size: 152KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp0
Size: 2.9MB - Virtual size: 2.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp1
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp2
Size: 4.3MB - Virtual size: 4.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 212B - Virtual size: 212B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.l1
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

1a9f73a65b0a446717a70a1bdf18cbce

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

ksecdd.sys

fltmgr.sys

netio.sys

hal

Sections

.text Size: 244KB - Virtual size: 244KB

.rdata Size: 28KB - Virtual size: 28KB

.data Size: 152KB - Virtual size: 152KB

.pdata Size: 12KB - Virtual size: 12KB

INIT Size: 8KB - Virtual size: 8KB

.vmp0 Size: 2.9MB - Virtual size: 2.9MB

.vmp1 Size: 4KB - Virtual size: 4KB

.vmp2 Size: 4.3MB - Virtual size: 4.3MB

.reloc Size: 212B - Virtual size: 212B

.l1 Size: 12KB - Virtual size: 12KB

.text
Size: 244KB - Virtual size: 244KB

.rdata
Size: 28KB - Virtual size: 28KB

.data
Size: 152KB - Virtual size: 152KB

.pdata
Size: 12KB - Virtual size: 12KB

INIT
Size: 8KB - Virtual size: 8KB

.vmp0
Size: 2.9MB - Virtual size: 2.9MB

.vmp1
Size: 4KB - Virtual size: 4KB

.vmp2
Size: 4.3MB - Virtual size: 4.3MB

.reloc
Size: 212B - Virtual size: 212B

.l1
Size: 12KB - Virtual size: 12KB